This article provides prerequisites and onboarding steps for Microsoft Sentinel.
Prerequisites
- You must be able to log in to Microsoft Entra as a user assigned the Global Administrator or User Administrator role.
- Make sure your Sentinel instance is connected to your Microsoft Defender portal per Microsoft's instructions. This ensures Expel will be able to poll alerts from Sentinel.
Expel uses API integrations to connect directly to the Microsoft Azure platform. We support authentication through a Microsoft Entra ID app. To collect data, Workbench communicates directly with APIs, including the Microsoft Security Graph API to poll alerts from Microsoft Sentinel. Workbench also queries Azure Log Analytics to enrich Sentinel alerts with the Azure Log Analytics context that originally generated each alert.
About console permissions in your devices
As you connect your devices to Workbench, you provide Workbench access to those devices through permissions in the devices. These permissions vary from one device technology to another, but we typically need at least Read access to your devices to pull in any logs from those devices into Workbench. For more information, see Why Expel Asks for Console Access.
Microsoft Sentinel permissions and roles
Expel Workbench requires a combination of Microsoft Entra ID Application permissions as well as a role assigned to the Microsoft Entra ID application.
To make requests to the Microsoft Graph Security API, the Microsoft Entra ID Application must have these Microsoft Graph API permissions:
| This permission... | does this... |
|---|---|
| SecurityEvents.Read.All | Allows the app to read your organization’s security events on behalf of the signed-in user. |
| SecurityAlert.Read.All | Allows the app to read all security alerts on behalf of the signed-in user. |
| SecurityIncident.Read.All | Allows the app to read security incidents on behalf of the signed-in user. |
To query Log Analytics workspace data, the Microsoft Entra ID Application must have this Log Analytics API permission:
| This permission... | does this... |
|---|---|
| Data.Read | Reads Log Analytics data. |
The Microsoft Entra ID Application must also be assigned this role, either on the subscription that contains the Microsoft Sentinel Workspace or directly on the Microsoft Sentinel Workspace.
| This role... | does this... |
|---|---|
| Log Analytics Reader | Views and searches all monitoring data as well as views monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. |
Remediation Capabilities
| This permission... | does this... |
|---|---|
| Disable user account | Allows the app to enable and disable users' accounts, on behalf of the signed-in user. |
Step 1: Enable Console and Cross-Tenant Access for Expel
Note
If your organization has already created a new Expel account for console access and enabled cross-tenant access for another Microsoft integration, you may skip to Step 2. The same "<Your Organization GUID>@soc.expel.io" account provides access across all Microsoft services.
Enable Console Access for a New Account
Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.
- Log in to the Microsoft Entra Admin Center as a user assigned the Global Administrator or User Administrator role.
- Navigate to Entra ID > Users > All Users.
- Select User > Invite external user.
- On the Basics tab, include the following:
  - Email - enter "<Your Organization GUID>@soc.expel.io". For example, a123bc45-aa12-123b@soc.expel.io. You can find your Organization GUID in the Organizations tab of Workbench.
  - Display Name - enter "Expel SOC".
- On the Assignments tab, configure the following:
  - Select Add role.
  - Search for and select Global Reader. Note: This role provides read-only access across most Microsoft 365 and Azure management consoles.
- Select Review + invite and then Invite.
The user account will be added to your directory as a guest, and an invitation email will be sent allowing the Expel SOC to create an account and complete console access configuration in Workbench on your behalf.
Enable Cross-Tenant Access
In this step you will add Expel as an external organization and configure inbound trust.
- Still in the Microsoft Entra Admin Center, navigate to Entra ID > External Identities > Cross-tenant access settings.
- Select the Organizational settings tab.
- Select Add organization.
- On the Add organization pane, enter Expel’s tenant ID: 1cde81fd-b430-4035-b24d-709921922876
- Select Expel from the search results, and then select Add.
- In the Organizational settings list, locate the Expel row and select Inbound access.
- On the "Inbound access settings - Expel" page, select the Trust settings tab, and configure the following:
  - Select Customize settings.
  - Enable Trust multifactor authentication from Microsoft Entra tenants.
  - Enable Trust compliant devices.
  - Enable Trust Microsoft Entra hybrid joined devices.
- Under Automatic redemption, enable Automatically redeem invitations with the tenant Expel.
- Select Save.
Step 2: Enable API access for Workbench
To integrate Microsoft Sentinel with Workbench, we need to create secure credentials for the API. You have two options for enabling API access.
In most cases, enabling the Enterprise Application (option 1) is the recommended approach. However, because Enterprise Application supports access for multiple Microsoft integrations (Azure, Microsoft Sentinel, Azure Log Analytics, and so on), the permissions granted to the Enterprise Application can be more than the minimum required for the Microsoft Sentinel integration alone.
The second option is for cases where the absolute minimum permissions are required. In either case, the table below lists the required items that should be obtained during this step:
| Item we need | Description |
|---|---|
| Directory (Tenant) ID | A unique identifier for your Azure instance. Workbench needs this information to route our API requests to the right place. |
| Application (client) ID (Option 2 only) | A unique identifier for the application you create that grants Workbench the access it needs to your Azure instance. |
| Application (client) Secret (Option 2 only) | The API secret that allows Workbench to authenticate as the created application to your Azure instance. |
Option 1: Enable the Expel Azure Integration Enterprise Application within Azure
- As an Administrator, navigate to the Expel Admin Consent Page.
- Review and accept requested permissions.
- The Expel Azure Integration app should now appear under Enterprise Applications. Review properties and make sure that all permissions are properly granted. These permissions are:

| This permission... | allows this... |
|---|---|
| User.Read | Users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
| SecurityEvents.Read.All | The app to read your organization’s security events without a signed-in user. |
| User.Read.All | The app to read user profiles without a signed-in user. |
| Data.Read | This application to access Log Analytics data. |
| SecurityAlert.Read.All | This application to read all security alerts. |
| SecurityIncident.Read.All | This application to read all security incidents. |
| User.ReadWrite.All (Optional: only required if you opt in to auto remediations) | This application to read and update user profiles without a signed-in user. |

Note: Write permissions are required for disabling and resetting user credentials as part of Expel's remediation capabilities.
- Write down the Directory (Tenant) ID when viewing the Expel Azure Integration application for use in later steps.
Option 2: Create custom Microsoft Entra ID application
- As an Azure administrator, log in to the Azure Portal and open Microsoft Entra ID.
- Navigate to App registrations and create a new app by clicking + New registration.
- Fill in the application details. You can fill these in however you want, but we recommend the following:
  - Name: Expel Cloud Service.
  - Supported account types: Accounts in this organizational directory only (first option).
- After you fill out the fields, click Register to create the new application.
- The Settings page opens for the Expel Cloud Service app you just created. If not, navigate to App Registrations > View all applications (if you don’t see the new app) > Expel Cloud Service.
- Make a note of the Application (Client) ID and the Directory (Tenant) ID for use in later steps.
- Open API permissions. Click + Add a permission. Add these permissions:

| Under APIs my organization uses, do this... | then select these permissions and click + Add permissions |
|---|---|
| Type Log Analytics and select Log Analytics API > Application Permissions. | Data.Read |
| Type Microsoft Graph and select Microsoft Graph > Application Permissions. | SecurityEvents.Read.All, SecurityAlert.Read.All, SecurityIncident.Read.All, User.Read.All |

- After permissions are assigned, click Grant admin consent, and Yes at the prompt.
- Navigate to Expel Cloud Service > Certificates & secrets to begin creating an API key (also called a client secret). To create a new key, click + New client secret.
- Add a description for the secret (for example, ExpelAPI) and select Never for expiration. Click Add to create the secret.
- You see a new client secret (API Key) appear under Client secrets. Copy the value and ID and save them for later. The value disappears after you navigate away from this screen.
Step 3: Enable Azure Log Analytics and Microsoft Sentinel access
Microsoft Sentinel can be run on top of multiple Azure Log Analytics workspaces. These workspaces are used as data stores for the Microsoft Sentinel service. Querying these Azure Log Analytics workspaces allows Expel to enrich Microsoft Sentinel alerts with the Azure Log Analytics context that originally generated that alert.
To view all Azure Log Analytics workspaces associated with Microsoft Sentinel, navigate to the Microsoft Sentinel blade within the Azure Portal.
The Azure Log Analytics Reader role must be given to the Microsoft Entra ID application created in Step 2 for each of the Microsoft Sentinel-enabled Azure Log Analytics workspaces to be monitored. Access can be granted in either of two ways, or through a combination of both:
- Option 1: Per individual Azure Log Analytics workspace.
- Option 2: For all workspaces within an Azure subscription.
Tip
The Expel Microsoft Sentinel integration only monitors Microsoft Sentinel running on top of Log Analytics workspaces that it is allowed to read from. If Microsoft Sentinel is running on top of an Azure Log Analytics workspace that is not granted permissions through the following steps, that workspace is not monitored.
Option 1: Enable Azure Log Analytics and Microsoft Sentinel access per workspace
The following steps outline how to enable the Azure Log Analytics Reader and Microsoft Sentinel Reader roles for a single Azure Log Analytics workspace. These steps must be repeated for each monitored Azure Log Analytics workspace:
- As an Azure administrator, log in to the Azure Portal.
- In the navigation pane, select Azure Log Analytics workspaces.
- Click the name of the workspace whose role assignments you want to change.
- Click Access Control (IAM) > + Add > Add role assignment.
- In the Add role assignment pane set the following fields:
  - Roles: Azure Log Analytics Reader and Microsoft Sentinel Reader
  - Assign access to: Microsoft Entra ID user, group or application.
  - Select: Search and click the Microsoft Entra ID app created in Step 2.
- Click Save.
Repeat these steps for all workspaces to be monitored.
Option 2: Enable Azure Log Analytics and Microsoft Sentinel access per subscription
The following steps outline how to enable the Azure Log Analytics Reader and Microsoft Sentinel Reader roles for an Azure subscription. Repeat these steps for each monitored Azure subscription.
- As an Azure administrator, log in to the Azure Portal.
- In the navigation pane, select Subscriptions.
- Click the subscription whose role assignments you want to change.
- Click Access Control (IAM) > + Add > Add role assignment.
- In the Add role assignment pane set the following fields:
  - Roles: Azure Log Analytics Reader and Microsoft Sentinel Reader
  - Assign access to: Microsoft Entra ID user, group or application.
  - Select: Search and click the Microsoft Entra ID app created in Step 2.
- Click Save.
All Azure Log Analytics workspaces within this subscription can be monitored.
Repeat these steps for any other subscriptions to be monitored.
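Before moving on, it is worth confirming which Sentinel workspaces the Step 3 assignments actually cover, since a subscription-level assignment (Option 2) is inherited by every workspace below it while a per-workspace assignment (Option 1) covers only that workspace, and both roles must be present. The following script is an added example, not Expel's or Microsoft's code; it assumes role assignments in the three-field shape of `az role assignment list` output (principalId, roleDefinitionName, scope), uses constructed sample workspaces and a placeholder service-principal ID, and also applies the optional comma-separated Workspace IDs filter described in Step 4.

```python
# Both Step 3 roles must be effective on a workspace, directly or inherited from its subscription.
REQUIRED_ROLES = frozenset({"Log Analytics Reader", "Microsoft Sentinel Reader"})
# Object ID of the Entra app's service principal: constructed placeholder, not a real tenant value.
EXPEL_APP = "00000000-0000-0000-0000-0000000000aa"


def ws_resource_id(sub: str, rg: str, name: str) -> str:
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{name}"


# Constructed sample: workspace resource ID -> Workspace ID (the customerId shown under Workspace Settings).
WORKSPACES = {
    ws_resource_id("sub-a", "rg-sec", "ws-prod"): "aaaa1111-0000-0000-0000-000000000001",
    ws_resource_id("sub-a", "rg-dev", "ws-dev"): "aaaa1111-0000-0000-0000-000000000002",
    ws_resource_id("sub-b", "rg-sec", "ws-eu"): "bbbb2222-0000-0000-0000-000000000003",
}

# Constructed sample in the shape of `az role assignment list --all`, trimmed to three fields.
ROLE_ASSIGNMENTS = [
    # Step 3 Option 2 on sub-a: both roles at subscription scope, inherited by ws-prod and ws-dev.
    {"principalId": EXPEL_APP, "roleDefinitionName": "Log Analytics Reader", "scope": "/subscriptions/sub-a"},
    {"principalId": EXPEL_APP, "roleDefinitionName": "Microsoft Sentinel Reader", "scope": "/subscriptions/sub-a"},
    # Step 3 Option 1 on ws-eu, but only one of the two roles was assigned (a common slip).
    {"principalId": EXPEL_APP, "roleDefinitionName": "Log Analytics Reader",
     "scope": ws_resource_id("sub-b", "rg-sec", "ws-eu")},
    # Another principal's assignment on sub-b; must not count toward the Expel app.
    {"principalId": "someone-else", "roleDefinitionName": "Microsoft Sentinel Reader", "scope": "/subscriptions/sub-b"},
]


def scope_covers(scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits down the scope hierarchy; resource IDs compare case-insensitively."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def effective_roles(assignments, principal_id: str, resource_id: str) -> set:
    return {a["roleDefinitionName"] for a in assignments
            if a["principalId"] == principal_id and scope_covers(a["scope"], resource_id)}


def coverage_report(workspaces, assignments, principal_id: str) -> dict:
    """Workspace ID -> set of required roles still missing (empty set means readable)."""
    return {ws_id: set(REQUIRED_ROLES - effective_roles(assignments, principal_id, res_id))
            for res_id, ws_id in workspaces.items()}


def monitored_workspaces(workspaces, assignments, principal_id: str, workspace_ids: str = "") -> list:
    """Workspace IDs Expel would monitor: fully readable ones, narrowed by the optional Workspace IDs field."""
    readable = {ws for ws, missing in coverage_report(workspaces, assignments, principal_id).items() if not missing}
    wanted = {w.strip().lower() for w in workspace_ids.split(",") if w.strip()}
    return sorted(ws for ws in readable if not wanted or ws.lower() in wanted)
```

With the sample data, ws-prod and ws-dev are monitored and ws-eu is reported as missing Microsoft Sentinel Reader, which is exactly the case the Tip above warns about.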
Step 4: Configure Microsoft Sentinel in Workbench
Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
- In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=azure_sentinel.
- Complete all fields using the credentials and information you collected in Step 2 and Step 3.

| Field name | What to put in it |
|---|---|
| Name | What you want to name the security device. |
| Location | Microsoft Cloud |
| Directory (Tenant) ID | Microsoft Entra ID Tenant/Directory ID |
| Application (Client) ID (Option 2 only) | The Azure Application (Client) ID that you saved in Step 2, Option 2. |
| Application (Client) Secret (Option 2 only) | The Client (Application) Secret that you saved in Step 2, Option 2. |
| Workspace IDs (optional) | This optional field accepts a comma-separated list of Azure Log Analytics workspace IDs. By default, the integration monitors any workspaces which have permissions assigned in Step 3. This field can be used to define a subset of those workspaces that should be monitored. This can be useful when assigning permissions at the Azure subscription level, but you want to monitor only some Microsoft Sentinel workspaces within that subscription. |

  To get the Azure Log Analytics workspace ID associated with a Microsoft Sentinel workspace:
  - Navigate to the Microsoft Sentinel blade within the Azure Portal.
  - Click the Microsoft Sentinel workspace.
  - Click Settings > Workspace Settings; the Workspace ID is listed at the top of the Overview.
- Click Save.
- On the console access screen, select Set up later. Expel will set up console access using the invitation you sent in Step 1.
You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.
To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.